npm - @elevasis/core - Versions diffs - 0.23.0 → 0.24.1 - Mend

@elevasis/core 0.23.0 → 0.24.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (243) hide show

package/dist/index.d.ts +4343 -2690
package/dist/index.js +1101 -156
package/dist/knowledge/index.d.ts +574 -210
package/dist/knowledge/index.js +104 -1
package/dist/organization-model/index.d.ts +4343 -2690
package/dist/organization-model/index.js +1101 -156
package/dist/test-utils/index.d.ts +483 -109
package/dist/test-utils/index.js +904 -144
package/package.json +3 -3
package/src/README.md +14 -14
package/src/__tests__/publish.test.ts +24 -24
package/src/__tests__/template-core-compatibility.test.ts +9 -12
package/src/_gen/__tests__/__snapshots__/contracts.md.snap +2137 -2093
package/src/_gen/__tests__/scaffold-contracts.test.ts +30 -30
package/src/auth/multi-tenancy/credentials/__tests__/encryption.test.ts +217 -217
package/src/auth/multi-tenancy/credentials/server/encryption.ts +69 -69
package/src/auth/multi-tenancy/credentials/server/kek-loader.ts +37 -37
package/src/auth/multi-tenancy/index.ts +26 -26
package/src/auth/multi-tenancy/invitations/api-schemas.ts +104 -104
package/src/auth/multi-tenancy/memberships/api-schemas.ts +143 -143
package/src/auth/multi-tenancy/memberships/index.ts +26 -26
package/src/auth/multi-tenancy/memberships/membership.ts +130 -130
package/src/auth/multi-tenancy/organizations/__tests__/api-schemas.test.ts +194 -194
package/src/auth/multi-tenancy/organizations/api-schemas.ts +136 -136
package/src/auth/multi-tenancy/permissions.test.ts +42 -42
package/src/auth/multi-tenancy/permissions.ts +123 -123
package/src/auth/multi-tenancy/role-management/api-schemas.ts +78 -78
package/src/auth/multi-tenancy/role-management/index.ts +16 -16
package/src/auth/multi-tenancy/theme-presets.ts +45 -45
package/src/auth/multi-tenancy/types.ts +57 -57
package/src/auth/multi-tenancy/users/api-schemas.ts +165 -165
package/src/business/README.md +2 -2
package/src/business/acquisition/activity-events.test.ts +250 -250
package/src/business/acquisition/activity-events.ts +93 -93
package/src/business/acquisition/api-schemas.test.ts +1883 -1843
package/src/business/acquisition/api-schemas.ts +1492 -1497
package/src/business/acquisition/build-templates.test.ts +240 -240
package/src/business/acquisition/build-templates.ts +98 -98
package/src/business/acquisition/crm-next-action.test.ts +262 -262
package/src/business/acquisition/crm-next-action.ts +220 -220
package/src/business/acquisition/crm-priority.test.ts +216 -216
package/src/business/acquisition/crm-priority.ts +349 -349
package/src/business/acquisition/crm-state-actions.test.ts +153 -153
package/src/business/acquisition/deal-ownership.test.ts +351 -351
package/src/business/acquisition/deal-ownership.ts +120 -120
package/src/business/acquisition/derive-actions.test.ts +129 -104
package/src/business/acquisition/derive-actions.ts +74 -84
package/src/business/acquisition/index.ts +171 -170
package/src/business/acquisition/ontology-validation.ts +309 -0
package/src/business/acquisition/stateful.ts +30 -30
package/src/business/acquisition/types.ts +396 -396
package/src/business/clients/api-schemas.test.ts +115 -115
package/src/business/clients/api-schemas.ts +158 -158
package/src/business/clients/index.ts +1 -1
package/src/business/crm/api-schemas.ts +40 -40
package/src/business/crm/index.ts +1 -1
package/src/business/deals/api-schemas.ts +87 -87
package/src/business/deals/index.ts +1 -1
package/src/business/index.ts +5 -5
package/src/business/projects/types.ts +144 -144
package/src/commands/queue/types/task.ts +15 -15
package/src/execution/core/runner-types.ts +61 -61
package/src/execution/core/sse-executions.ts +7 -7
package/src/execution/engine/__tests__/fixtures/test-agents.ts +10 -10
package/src/execution/engine/agent/core/__tests__/agent.test.ts +16 -16
package/src/execution/engine/agent/core/__tests__/error-passthrough.test.ts +4 -4
package/src/execution/engine/agent/core/types.ts +25 -25
package/src/execution/engine/agent/index.ts +6 -6
package/src/execution/engine/agent/reasoning/__tests__/request-builder.test.ts +24 -24
package/src/execution/engine/index.ts +443 -443
package/src/execution/engine/tools/integration/server/adapters/apify/__tests__/apify-run-actor.integration.test.ts +298 -298
package/src/execution/engine/tools/integration/server/adapters/apify/apify-adapter.test.ts +55 -55
package/src/execution/engine/tools/integration/server/adapters/apify/apify-adapter.ts +107 -107
package/src/execution/engine/tools/integration/server/adapters/apollo/apollo-adapter.test.ts +48 -48
package/src/execution/engine/tools/integration/server/adapters/apollo/apollo-adapter.ts +99 -99
package/src/execution/engine/tools/integration/server/adapters/apollo/index.ts +1 -1
package/src/execution/engine/tools/integration/server/adapters/attio/__tests__/attio-crud.integration.test.ts +363 -363
package/src/execution/engine/tools/integration/server/adapters/attio/fetch/get-record/index.test.ts +162 -162
package/src/execution/engine/tools/integration/server/adapters/attio/fetch/list-records/index.test.ts +316 -316
package/src/execution/engine/tools/integration/server/adapters/clickup/clickup-adapter.test.ts +18 -18
package/src/execution/engine/tools/integration/server/adapters/clickup/clickup-adapter.ts +194 -194
package/src/execution/engine/tools/integration/server/adapters/clickup/index.ts +7 -7
package/src/execution/engine/tools/integration/server/adapters/gmail/gmail-adapter.ts +204 -204
package/src/execution/engine/tools/integration/server/adapters/gmail/gmail-tools.ts +105 -105
package/src/execution/engine/tools/integration/server/adapters/google-calendar/google-calendar-adapter.ts +428 -428
package/src/execution/engine/tools/integration/server/adapters/google-calendar/index.ts +2 -2
package/src/execution/engine/tools/integration/server/adapters/google-sheets/__tests__/google-sheets.integration.test.ts +261 -261
package/src/execution/engine/tools/integration/server/adapters/instantly/instantly-tools.ts +1474 -1474
package/src/execution/engine/tools/integration/server/adapters/millionverifier/millionverifier-tools.ts +103 -103
package/src/execution/engine/tools/integration/server/adapters/resend/fetch/send-email/index.test.ts +88 -88
package/src/execution/engine/tools/integration/server/adapters/resend/fetch/send-email/index.ts +141 -141
package/src/execution/engine/tools/integration/server/adapters/resend/fetch/utils/types.ts +76 -76
package/src/execution/engine/tools/integration/server/adapters/signature-api/signature-api-tools.ts +182 -182
package/src/execution/engine/tools/integration/server/adapters/stripe/stripe-tools.ts +310 -310
package/src/execution/engine/tools/integration/service.test.ts +239 -239
package/src/execution/engine/tools/integration/service.ts +172 -172
package/src/execution/engine/tools/integration/tool.ts +255 -255
package/src/execution/engine/tools/lead-service-types.ts +1005 -1005
package/src/execution/engine/tools/messages.ts +43 -43
package/src/execution/engine/tools/platform/acquisition/company-tools.ts +7 -7
package/src/execution/engine/tools/platform/acquisition/contact-tools.ts +6 -6
package/src/execution/engine/tools/platform/acquisition/list-tools.ts +6 -6
package/src/execution/engine/tools/platform/acquisition/types.ts +280 -280
package/src/execution/engine/tools/platform/email/types.ts +97 -97
package/src/execution/engine/tools/registry.ts +704 -704
package/src/execution/engine/tools/tool-maps.ts +831 -831
package/src/execution/engine/tools/types.ts +234 -234
package/src/execution/engine/workflow/types.ts +195 -197
package/src/execution/external/__tests__/api-schemas.test.ts +127 -127
package/src/execution/external/api-schemas.ts +40 -40
package/src/execution/external/index.ts +1 -1
package/src/index.ts +18 -18
package/src/integrations/credentials/__tests__/api-schemas.test.ts +420 -420
package/src/integrations/credentials/api-schemas.ts +146 -146
package/src/integrations/credentials/schemas.ts +200 -200
package/src/integrations/oauth/__tests__/provider-registry.test.ts +7 -7
package/src/integrations/oauth/provider-registry.ts +74 -74
package/src/integrations/oauth/server/credentials.ts +43 -43
package/src/integrations/webhook-endpoints/__tests__/api-schemas.test.ts +327 -327
package/src/integrations/webhook-endpoints/api-schemas.ts +103 -103
package/src/integrations/webhook-endpoints/types.ts +58 -58
package/src/knowledge/README.md +32 -32
package/src/knowledge/__tests__/queries.test.ts +626 -535
package/src/knowledge/format.ts +99 -99
package/src/knowledge/index.ts +5 -5
package/src/knowledge/published.ts +5 -5
package/src/knowledge/queries.ts +269 -218
package/src/operations/activities/api-schemas.ts +80 -80
package/src/operations/activities/types.ts +64 -64
package/src/organization-model/README.md +149 -149
package/src/organization-model/__tests__/content-kinds-registry.test.ts +210 -210
package/src/organization-model/__tests__/defaults.test.ts +168 -168
package/src/organization-model/__tests__/domains/actions.test.ts +78 -56
package/src/organization-model/__tests__/domains/customers.test.ts +299 -299
package/src/organization-model/__tests__/domains/entities.test.ts +56 -56
package/src/organization-model/__tests__/domains/goals.test.ts +493 -493
package/src/organization-model/__tests__/domains/identity.test.ts +280 -280
package/src/organization-model/__tests__/domains/navigation.test.ts +268 -268
package/src/organization-model/__tests__/domains/offerings.test.ts +414 -414
package/src/organization-model/__tests__/domains/policies.test.ts +323 -323
package/src/organization-model/__tests__/domains/resource-mappings.test.ts +293 -293
package/src/organization-model/__tests__/domains/resources.test.ts +387 -277
package/src/organization-model/__tests__/domains/roles.test.ts +463 -463
package/src/organization-model/__tests__/domains/statuses.test.ts +246 -246
package/src/organization-model/__tests__/domains/systems.test.ts +209 -209
package/src/organization-model/__tests__/domains/topology.test.ts +188 -0
package/src/organization-model/__tests__/flatten-additive-merge.test.ts +362 -361
package/src/organization-model/__tests__/foundation.test.ts +77 -77
package/src/organization-model/__tests__/get-resources-for-system.test.ts +144 -144
package/src/organization-model/__tests__/graph.test.ts +1312 -862
package/src/organization-model/__tests__/icons.test.ts +10 -1
package/src/organization-model/__tests__/knowledge.test.ts +251 -15
package/src/organization-model/__tests__/lookup-helpers.test.ts +438 -438
package/src/organization-model/__tests__/migration-helpers.test.ts +591 -591
package/src/organization-model/__tests__/prospecting-ssot.test.ts +103 -103
package/src/organization-model/__tests__/recursive-system-schema.test.ts +535 -506
package/src/organization-model/__tests__/resolve.test.ts +274 -164
package/src/organization-model/__tests__/schema.test.ts +844 -301
package/src/organization-model/__tests__/surface-projection.test.ts +284 -284
package/src/organization-model/catalogs/lead-gen.ts +144 -144
package/src/organization-model/content-kinds/config.ts +36 -36
package/src/organization-model/content-kinds/index.ts +76 -72
package/src/organization-model/content-kinds/pipeline.ts +68 -68
package/src/organization-model/content-kinds/registry.ts +44 -44
package/src/organization-model/content-kinds/status.ts +71 -71
package/src/organization-model/content-kinds/template.ts +83 -83
package/src/organization-model/content-kinds/types.ts +117 -117
package/src/organization-model/contracts.ts +27 -27
package/src/organization-model/defaults.ts +42 -50
package/src/organization-model/domains/actions.ts +333 -239
package/src/organization-model/domains/customers.ts +78 -78
package/src/organization-model/domains/entities.ts +144 -144
package/src/organization-model/domains/goals.ts +83 -83
package/src/organization-model/domains/knowledge.ts +117 -101
package/src/organization-model/domains/navigation.ts +139 -139
package/src/organization-model/domains/offerings.ts +71 -71
package/src/organization-model/domains/policies.ts +102 -102
package/src/organization-model/domains/projects.ts +14 -14
package/src/organization-model/domains/prospecting.ts +395 -395
package/src/organization-model/domains/resources.ts +202 -124
package/src/organization-model/domains/roles.ts +96 -96
package/src/organization-model/domains/sales.test.ts +218 -218
package/src/organization-model/domains/sales.ts +380 -380
package/src/organization-model/domains/shared.ts +63 -63
package/src/organization-model/domains/statuses.ts +339 -339
package/src/organization-model/domains/systems.ts +217 -172
package/src/organization-model/domains/topology.ts +261 -0
package/src/organization-model/foundation.ts +75 -75
package/src/organization-model/graph/build.ts +1043 -867
package/src/organization-model/graph/index.ts +4 -4
package/src/organization-model/graph/link.ts +10 -10
package/src/organization-model/graph/schema.ts +75 -68
package/src/organization-model/graph/types.ts +71 -64
package/src/organization-model/helpers.ts +289 -241
package/src/organization-model/icons.ts +78 -66
package/src/organization-model/index.ts +128 -125
package/src/organization-model/migration-helpers.ts +247 -244
package/src/organization-model/ontology.ts +658 -0
package/src/organization-model/organization-graph.mdx +110 -90
package/src/organization-model/organization-model.mdx +225 -213
package/src/organization-model/published.ts +299 -222
package/src/organization-model/resolve.ts +146 -91
package/src/organization-model/schema.ts +818 -659
package/src/organization-model/surface-projection.ts +212 -212
package/src/organization-model/types.ts +179 -155
package/src/platform/api/types.ts +38 -38
package/src/platform/constants/versions.ts +3 -3
package/src/platform/index.ts +23 -23
package/src/platform/registry/__tests__/command-view.test.ts +10 -10
package/src/platform/registry/__tests__/resource-link.test.ts +35 -35
package/src/platform/registry/__tests__/resource-registry.integration.test.ts +20 -20
package/src/platform/registry/__tests__/resource-registry.nested-systems.test.ts +245 -245
package/src/platform/registry/__tests__/resource-registry.test.ts +2053 -2053
package/src/platform/registry/__tests__/validation.test.ts +1444 -1259
package/src/platform/registry/command-view.ts +10 -10
package/src/platform/registry/index.ts +103 -103
package/src/platform/registry/resource-link.ts +32 -32
package/src/platform/registry/resource-registry.ts +886 -886
package/src/platform/registry/serialization.ts +295 -295
package/src/platform/registry/serialized-types.ts +166 -166
package/src/platform/registry/stats-types.ts +68 -68
package/src/platform/registry/types.ts +425 -425
package/src/platform/registry/validation.ts +876 -684
package/src/platform/utils/__tests__/validation.test.ts +1084 -1084
package/src/platform/utils/validation.ts +425 -425
package/src/projects/api-schemas.test.ts +39 -39
package/src/projects/api-schemas.ts +291 -291
package/src/reference/_generated/contracts.md +2136 -2093
package/src/reference/glossary.md +76 -76
package/src/scaffold-registry/__tests__/index.test.ts +206 -206
package/src/scaffold-registry/__tests__/schema.test.ts +166 -166
package/src/scaffold-registry/index.ts +392 -392
package/src/scaffold-registry/schema.ts +243 -243
package/src/server.ts +289 -289
package/src/supabase/database.types.ts +3 -0
package/src/test-utils/README.md +37 -37
package/src/test-utils/entities.ts +108 -108
package/src/test-utils/fixtures/memberships.ts +82 -82
package/src/test-utils/index.ts +12 -12
package/src/test-utils/organization-model.ts +65 -65
package/src/test-utils/published.ts +6 -6
package/src/test-utils/rls/RLSTestContext.ts +588 -588
package/src/test-utils/test-utils.test.ts +44 -44

package/src/integrations/credentials/__tests__/api-schemas.test.ts CHANGED Viewed

@@ -1,420 +1,420 @@
-/**
- * Credential API schemas tests
- * Tests all validation schemas for credentials endpoints
- * Focus: Security (path traversal, DoS, mass assignment, type coercion)
- */
-import { describe, it, expect } from 'vitest'
-import {
-  CredentialTypeSchema,
-  CreateCredentialRequestSchema,
-  UpdateCredentialParamsSchema,
-  UpdateCredentialRequestSchema,
-  DeleteCredentialParamsSchema,
-  ListCredentialsResponseSchema
-} from '../api-schemas'
-describe('CredentialTypeSchema', () => {
-  it('accepts valid credential types', () => {
-    // These are the actual types stored in the database
-    expect(CredentialTypeSchema.parse('oauth')).toBe('oauth')
-    expect(CredentialTypeSchema.parse('api-key')).toBe('api-key')
-    expect(CredentialTypeSchema.parse('webhook-secret')).toBe('webhook-secret')
-  })
-  it('rejects invalid credential types', () => {
-    expect(() => CredentialTypeSchema.parse('invalid-type')).toThrow()
-    expect(() => CredentialTypeSchema.parse('')).toThrow()
-  })
-  it('rejects provider names (these are CREDENTIAL_SCHEMAS keys, not stored types)', () => {
-    // OAuth providers store type='oauth', not their provider name
-    expect(() => CredentialTypeSchema.parse('notion')).toThrow()
-    expect(() => CredentialTypeSchema.parse('google-sheets')).toThrow()
-  })
-})
-describe('CreateCredentialRequestSchema', () => {
-  const validPayload = {
-    name: 'gmail-prod',
-    type: 'api-key' as const,
-    value: { apiKey: 'test-key-123' }
-  }
-  describe('valid requests', () => {
-    it('accepts valid credential creation request', () => {
-      const result = CreateCredentialRequestSchema.parse(validPayload)
-      expect(result).toEqual(validPayload)
-    })
-    it('accepts oauth type credentials', () => {
-      const payload = {
-        name: 'notion-dev',
-        type: 'oauth' as const,
-        value: { accessToken: 'token', refreshToken: 'refresh' }
-      }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result).toEqual(payload)
-    })
-    it('accepts webhook-secret type credentials', () => {
-      const payload = {
-        name: 'stripe-webhook',
-        type: 'webhook-secret' as const,
-        value: { signingSecret: 'whsec_abc123' }
-      }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result).toEqual(payload)
-    })
-  })
-  describe('SECURITY: mass assignment prevention', () => {
-    it('rejects unknown fields (strict mode)', () => {
-      const payload = {
-        ...validPayload,
-        organizationId: 'attacker-org-id', // Injected field
-        createdBy: null // Override creator
-      }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects extra top-level fields', () => {
-      const payload = {
-        ...validPayload,
-        maliciousField: 'value'
-      }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-  })
-  describe('SECURITY: credential name validation', () => {
-    it('rejects invalid credential names', () => {
-      const payload = { ...validPayload, name: 'gmail prod' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
-    })
-    it('rejects path traversal in name', () => {
-      const payload = { ...validPayload, name: '../admin-cred' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
-    })
-    it('rejects special characters in name', () => {
-      const payload = { ...validPayload, name: 'gmail@prod' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
-    })
-    it('rejects names without hyphens', () => {
-      const payload = { ...validPayload, name: 'gmailprod' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
-    })
-    it('rejects underscores', () => {
-      const payload = { ...validPayload, name: 'gmail_prod' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
-    })
-    it('auto-lowercases uppercase input', () => {
-      const payload = { ...validPayload, name: 'Gmail-Prod' }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result.name).toBe('gmail-prod')
-    })
-  })
-  describe('SECURITY: credential type validation', () => {
-    it('rejects invalid credential types', () => {
-      const payload = { ...validPayload, type: 'invalid-type' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects null type', () => {
-      const payload = { ...validPayload, type: null }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects array as type', () => {
-      const payload = { ...validPayload, type: ['api-key'] }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-  })
-  describe('SECURITY: credential value validation', () => {
-    it('rejects empty credential value', () => {
-      const payload = { ...validPayload, value: {} }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must not be empty/)
-    })
-    it('rejects non-object value', () => {
-      const payload = { ...validPayload, value: 'string-instead-of-object' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects null value', () => {
-      const payload = { ...validPayload, value: null }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects array as value', () => {
-      const payload = { ...validPayload, value: ['array', 'as', 'value'] }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-  })
-  describe('SECURITY: DoS prevention - credential value size', () => {
-    it('rejects credential value with too many keys (over 50)', () => {
-      const largeValue = Object.fromEntries(Array.from({ length: 51 }, (_, i) => [`key${i}`, 'value']))
-      const payload = { ...validPayload, value: largeValue }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/too many keys/)
-    })
-    it('accepts credential value with max keys (50)', () => {
-      const maxValue = Object.fromEntries(Array.from({ length: 50 }, (_, i) => [`key${i}`, 'value']))
-      const payload = { ...validPayload, value: maxValue }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(Object.keys(result.value).length).toBe(50)
-    })
-    it('rejects individual string values over 10KB', () => {
-      const hugeString = 'a'.repeat(10241)
-      const payload = { ...validPayload, value: { apiKey: hugeString } }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/too large/)
-    })
-    it('accepts string values at max size (10KB)', () => {
-      const maxString = 'a'.repeat(10240)
-      const payload = { ...validPayload, value: { apiKey: maxString } }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result.value.apiKey).toBe(maxString)
-    })
-    it('allows non-string values without size checks', () => {
-      const payload = {
-        ...validPayload,
-        value: {
-          apiKey: 'test',
-          number: 12345,
-          boolean: true,
-          nested: { key: 'value' }
-        }
-      }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result.value).toEqual(payload.value)
-    })
-  })
-  describe('required fields', () => {
-    it('rejects missing name', () => {
-      const { name: _name, ...payload } = validPayload
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects missing type', () => {
-      const { type: _type, ...payload } = validPayload
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects missing value', () => {
-      const { value: _value, ...payload } = validPayload
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-  })
-  describe('provider field (OAuth provider identification)', () => {
-    it('accepts OAuth credential with provider', () => {
-      const payload = {
-        name: 'my-dropbox',
-        type: 'oauth' as const,
-        value: { accessToken: 'token', refreshToken: 'refresh' },
-        provider: 'dropbox'
-      }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result.provider).toBe('dropbox')
-    })
-    it('accepts request without provider (optional field)', () => {
-      const result = CreateCredentialRequestSchema.parse(validPayload)
-      expect(result.provider).toBeUndefined()
-    })
-    it('accepts various OAuth provider values', () => {
-      const providers = ['dropbox', 'notion', 'google-sheets']
-      for (const provider of providers) {
-        const payload = {
-          name: `my-${provider}`,
-          type: 'oauth' as const,
-          value: { accessToken: 'token' },
-          provider
-        }
-        const result = CreateCredentialRequestSchema.parse(payload)
-        expect(result.provider).toBe(provider)
-      }
-    })
-  })
-})
-describe('UpdateCredentialParamsSchema', () => {
-  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
-  it('accepts valid UUID', () => {
-    const result = UpdateCredentialParamsSchema.parse({ credentialId: validUuid })
-    expect(result.credentialId).toBe(validUuid)
-  })
-  it('rejects invalid UUID format', () => {
-    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: 'not-a-uuid' })).toThrow()
-  })
-  it('rejects empty string', () => {
-    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: '' })).toThrow()
-  })
-  it('rejects number instead of UUID', () => {
-    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: 12345 })).toThrow()
-  })
-})
-describe('UpdateCredentialRequestSchema', () => {
-  const validValue = { apiKey: 'updated-key' }
-  const validName = 'updated-name'
-  describe('valid requests', () => {
-    it('accepts update with value only', () => {
-      const result = UpdateCredentialRequestSchema.parse({ value: validValue })
-      expect(result.value).toEqual(validValue)
-      expect(result.name).toBeUndefined()
-    })
-    it('accepts update with name only', () => {
-      const result = UpdateCredentialRequestSchema.parse({ name: validName })
-      expect(result.name).toBe(validName)
-      expect(result.value).toBeUndefined()
-    })
-    it('accepts update with both value and name', () => {
-      const result = UpdateCredentialRequestSchema.parse({ value: validValue, name: validName })
-      expect(result.value).toEqual(validValue)
-      expect(result.name).toBe(validName)
-    })
-  })
-  describe('SECURITY: strict mode', () => {
-    it('rejects unknown fields', () => {
-      const payload = { value: validValue, unknownField: 'test' }
-      expect(() => UpdateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-  })
-  describe('validation: at least one field required', () => {
-    it('rejects empty update (no fields)', () => {
-      expect(() => UpdateCredentialRequestSchema.parse({})).toThrow(/At least one field/)
-    })
-    it('rejects update with undefined fields only', () => {
-      expect(() => UpdateCredentialRequestSchema.parse({ value: undefined, name: undefined })).toThrow(
-        /At least one field/
-      )
-    })
-  })
-  describe('SECURITY: credential value validation', () => {
-    it('rejects empty value object', () => {
-      expect(() => UpdateCredentialRequestSchema.parse({ value: {} })).toThrow(/must not be empty/)
-    })
-    it('rejects value with too many keys', () => {
-      const largeValue = Object.fromEntries(Array.from({ length: 51 }, (_, i) => [`key${i}`, 'value']))
-      expect(() => UpdateCredentialRequestSchema.parse({ value: largeValue })).toThrow(/too many keys/)
-    })
-    it('rejects individual string values over 10KB', () => {
-      const hugeString = 'a'.repeat(10241)
-      expect(() => UpdateCredentialRequestSchema.parse({ value: { apiKey: hugeString } })).toThrow(/too large/)
-    })
-  })
-  describe('SECURITY: credential name validation', () => {
-    it('rejects invalid name format', () => {
-      expect(() => UpdateCredentialRequestSchema.parse({ name: 'gmail prod' })).toThrow(/must be lowercase/)
-    })
-    it('rejects path traversal in name', () => {
-      expect(() => UpdateCredentialRequestSchema.parse({ name: '../admin' })).toThrow(/must be lowercase/)
-    })
-  })
-})
-describe('DeleteCredentialParamsSchema', () => {
-  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
-  it('accepts valid UUID', () => {
-    const result = DeleteCredentialParamsSchema.parse({ credentialId: validUuid })
-    expect(result.credentialId).toBe(validUuid)
-  })
-  it('rejects invalid UUID format', () => {
-    expect(() => DeleteCredentialParamsSchema.parse({ credentialId: 'not-a-uuid' })).toThrow()
-  })
-  it('rejects empty string', () => {
-    expect(() => DeleteCredentialParamsSchema.parse({ credentialId: '' })).toThrow()
-  })
-})
-describe('ListCredentialsResponseSchema - Provider Field', () => {
-  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
-  it('validates response with provider set', () => {
-    const response = {
-      credentials: [
-        {
-          id: validUuid,
-          name: 'dropbox-cred',
-          type: 'oauth',
-          provider: 'dropbox',
-          createdAt: '2026-02-02T00:00:00.000Z'
-        }
-      ]
-    }
-    const result = ListCredentialsResponseSchema.parse(response)
-    expect(result.credentials[0].provider).toBe('dropbox')
-  })
-  it('validates response with null provider (non-OAuth credentials)', () => {
-    const response = {
-      credentials: [
-        {
-          id: validUuid,
-          name: 'api-key',
-          type: 'api-key',
-          provider: null,
-          createdAt: '2026-02-02T00:00:00.000Z'
-        }
-      ]
-    }
-    const result = ListCredentialsResponseSchema.parse(response)
-    expect(result.credentials[0].provider).toBeNull()
-  })
-  it('validates response with mixed provider values', () => {
-    const response = {
-      credentials: [
-        {
-          id: validUuid,
-          name: 'dropbox-cred',
-          type: 'oauth',
-          provider: 'dropbox',
-          createdAt: '2026-02-02T00:00:00.000Z'
-        },
-        {
-          id: 'b0eebc99-9c0b-4ef8-bb6d-6bb9bd380a22',
-          name: 'api-key',
-          type: 'api-key',
-          provider: null,
-          createdAt: '2026-02-02T00:00:00.000Z'
-        }
-      ]
-    }
-    const result = ListCredentialsResponseSchema.parse(response)
-    expect(result.credentials[0].provider).toBe('dropbox')
-    expect(result.credentials[1].provider).toBeNull()
-  })
-})
+/**
+ * Credential API schemas tests
+ * Tests all validation schemas for credentials endpoints
+ * Focus: Security (path traversal, DoS, mass assignment, type coercion)
+ */
+import { describe, it, expect } from 'vitest'
+import {
+  CredentialTypeSchema,
+  CreateCredentialRequestSchema,
+  UpdateCredentialParamsSchema,
+  UpdateCredentialRequestSchema,
+  DeleteCredentialParamsSchema,
+  ListCredentialsResponseSchema
+} from '../api-schemas'
+describe('CredentialTypeSchema', () => {
+  it('accepts valid credential types', () => {
+    // These are the actual types stored in the database
+    expect(CredentialTypeSchema.parse('oauth')).toBe('oauth')
+    expect(CredentialTypeSchema.parse('api-key')).toBe('api-key')
+    expect(CredentialTypeSchema.parse('webhook-secret')).toBe('webhook-secret')
+  })
+  it('rejects invalid credential types', () => {
+    expect(() => CredentialTypeSchema.parse('invalid-type')).toThrow()
+    expect(() => CredentialTypeSchema.parse('')).toThrow()
+  })
+  it('rejects provider names (these are CREDENTIAL_SCHEMAS keys, not stored types)', () => {
+    // OAuth providers store type='oauth', not their provider name
+    expect(() => CredentialTypeSchema.parse('notion')).toThrow()
+    expect(() => CredentialTypeSchema.parse('google-sheets')).toThrow()
+  })
+})
+describe('CreateCredentialRequestSchema', () => {
+  const validPayload = {
+    name: 'gmail-prod',
+    type: 'api-key' as const,
+    value: { apiKey: 'test-key-123' }
+  }
+  describe('valid requests', () => {
+    it('accepts valid credential creation request', () => {
+      const result = CreateCredentialRequestSchema.parse(validPayload)
+      expect(result).toEqual(validPayload)
+    })
+    it('accepts oauth type credentials', () => {
+      const payload = {
+        name: 'notion-dev',
+        type: 'oauth' as const,
+        value: { accessToken: 'token', refreshToken: 'refresh' }
+      }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result).toEqual(payload)
+    })
+    it('accepts webhook-secret type credentials', () => {
+      const payload = {
+        name: 'stripe-webhook',
+        type: 'webhook-secret' as const,
+        value: { signingSecret: 'whsec_abc123' }
+      }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result).toEqual(payload)
+    })
+  })
+  describe('SECURITY: mass assignment prevention', () => {
+    it('rejects unknown fields (strict mode)', () => {
+      const payload = {
+        ...validPayload,
+        organizationId: 'attacker-org-id', // Injected field
+        createdBy: null // Override creator
+      }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects extra top-level fields', () => {
+      const payload = {
+        ...validPayload,
+        maliciousField: 'value'
+      }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+  })
+  describe('SECURITY: credential name validation', () => {
+    it('rejects invalid credential names', () => {
+      const payload = { ...validPayload, name: 'gmail prod' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
+    })
+    it('rejects path traversal in name', () => {
+      const payload = { ...validPayload, name: '../admin-cred' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
+    })
+    it('rejects special characters in name', () => {
+      const payload = { ...validPayload, name: 'gmail@prod' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
+    })
+    it('rejects names without hyphens', () => {
+      const payload = { ...validPayload, name: 'gmailprod' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
+    })
+    it('rejects underscores', () => {
+      const payload = { ...validPayload, name: 'gmail_prod' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
+    })
+    it('auto-lowercases uppercase input', () => {
+      const payload = { ...validPayload, name: 'Gmail-Prod' }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result.name).toBe('gmail-prod')
+    })
+  })
+  describe('SECURITY: credential type validation', () => {
+    it('rejects invalid credential types', () => {
+      const payload = { ...validPayload, type: 'invalid-type' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects null type', () => {
+      const payload = { ...validPayload, type: null }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects array as type', () => {
+      const payload = { ...validPayload, type: ['api-key'] }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+  })
+  describe('SECURITY: credential value validation', () => {
+    it('rejects empty credential value', () => {
+      const payload = { ...validPayload, value: {} }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must not be empty/)
+    })
+    it('rejects non-object value', () => {
+      const payload = { ...validPayload, value: 'string-instead-of-object' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects null value', () => {
+      const payload = { ...validPayload, value: null }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects array as value', () => {
+      const payload = { ...validPayload, value: ['array', 'as', 'value'] }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+  })
+  describe('SECURITY: DoS prevention - credential value size', () => {
+    it('rejects credential value with too many keys (over 50)', () => {
+      const largeValue = Object.fromEntries(Array.from({ length: 51 }, (_, i) => [`key${i}`, 'value']))
+      const payload = { ...validPayload, value: largeValue }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/too many keys/)
+    })
+    it('accepts credential value with max keys (50)', () => {
+      const maxValue = Object.fromEntries(Array.from({ length: 50 }, (_, i) => [`key${i}`, 'value']))
+      const payload = { ...validPayload, value: maxValue }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(Object.keys(result.value).length).toBe(50)
+    })
+    it('rejects individual string values over 10KB', () => {
+      const hugeString = 'a'.repeat(10241)
+      const payload = { ...validPayload, value: { apiKey: hugeString } }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/too large/)
+    })
+    it('accepts string values at max size (10KB)', () => {
+      const maxString = 'a'.repeat(10240)
+      const payload = { ...validPayload, value: { apiKey: maxString } }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result.value.apiKey).toBe(maxString)
+    })
+    it('allows non-string values without size checks', () => {
+      const payload = {
+        ...validPayload,
+        value: {
+          apiKey: 'test',
+          number: 12345,
+          boolean: true,
+          nested: { key: 'value' }
+        }
+      }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result.value).toEqual(payload.value)
+    })
+  })
+  describe('required fields', () => {
+    it('rejects missing name', () => {
+      const { name: _name, ...payload } = validPayload
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects missing type', () => {
+      const { type: _type, ...payload } = validPayload
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects missing value', () => {
+      const { value: _value, ...payload } = validPayload
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+  })
+  describe('provider field (OAuth provider identification)', () => {
+    it('accepts OAuth credential with provider', () => {
+      const payload = {
+        name: 'my-dropbox',
+        type: 'oauth' as const,
+        value: { accessToken: 'token', refreshToken: 'refresh' },
+        provider: 'dropbox'
+      }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result.provider).toBe('dropbox')
+    })
+    it('accepts request without provider (optional field)', () => {
+      const result = CreateCredentialRequestSchema.parse(validPayload)
+      expect(result.provider).toBeUndefined()
+    })
+    it('accepts various OAuth provider values', () => {
+      const providers = ['dropbox', 'notion', 'google-sheets']
+      for (const provider of providers) {
+        const payload = {
+          name: `my-${provider}`,
+          type: 'oauth' as const,
+          value: { accessToken: 'token' },
+          provider
+        }
+        const result = CreateCredentialRequestSchema.parse(payload)
+        expect(result.provider).toBe(provider)
+      }
+    })
+  })
+})
+describe('UpdateCredentialParamsSchema', () => {
+  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
+  it('accepts valid UUID', () => {
+    const result = UpdateCredentialParamsSchema.parse({ credentialId: validUuid })
+    expect(result.credentialId).toBe(validUuid)
+  })
+  it('rejects invalid UUID format', () => {
+    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: 'not-a-uuid' })).toThrow()
+  })
+  it('rejects empty string', () => {
+    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: '' })).toThrow()
+  })
+  it('rejects number instead of UUID', () => {
+    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: 12345 })).toThrow()
+  })
+})
+describe('UpdateCredentialRequestSchema', () => {
+  const validValue = { apiKey: 'updated-key' }
+  const validName = 'updated-name'
+  describe('valid requests', () => {
+    it('accepts update with value only', () => {
+      const result = UpdateCredentialRequestSchema.parse({ value: validValue })
+      expect(result.value).toEqual(validValue)
+      expect(result.name).toBeUndefined()
+    })
+    it('accepts update with name only', () => {
+      const result = UpdateCredentialRequestSchema.parse({ name: validName })
+      expect(result.name).toBe(validName)
+      expect(result.value).toBeUndefined()
+    })
+    it('accepts update with both value and name', () => {
+      const result = UpdateCredentialRequestSchema.parse({ value: validValue, name: validName })
+      expect(result.value).toEqual(validValue)
+      expect(result.name).toBe(validName)
+    })
+  })
+  describe('SECURITY: strict mode', () => {
+    it('rejects unknown fields', () => {
+      const payload = { value: validValue, unknownField: 'test' }
+      expect(() => UpdateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+  })
+  describe('validation: at least one field required', () => {
+    it('rejects empty update (no fields)', () => {
+      expect(() => UpdateCredentialRequestSchema.parse({})).toThrow(/At least one field/)
+    })
+    it('rejects update with undefined fields only', () => {
+      expect(() => UpdateCredentialRequestSchema.parse({ value: undefined, name: undefined })).toThrow(
+        /At least one field/
+      )
+    })
+  })
+  describe('SECURITY: credential value validation', () => {
+    it('rejects empty value object', () => {
+      expect(() => UpdateCredentialRequestSchema.parse({ value: {} })).toThrow(/must not be empty/)
+    })
+    it('rejects value with too many keys', () => {
+      const largeValue = Object.fromEntries(Array.from({ length: 51 }, (_, i) => [`key${i}`, 'value']))
+      expect(() => UpdateCredentialRequestSchema.parse({ value: largeValue })).toThrow(/too many keys/)
+    })
+    it('rejects individual string values over 10KB', () => {
+      const hugeString = 'a'.repeat(10241)
+      expect(() => UpdateCredentialRequestSchema.parse({ value: { apiKey: hugeString } })).toThrow(/too large/)
+    })
+  })
+  describe('SECURITY: credential name validation', () => {
+    it('rejects invalid name format', () => {
+      expect(() => UpdateCredentialRequestSchema.parse({ name: 'gmail prod' })).toThrow(/must be lowercase/)
+    })
+    it('rejects path traversal in name', () => {
+      expect(() => UpdateCredentialRequestSchema.parse({ name: '../admin' })).toThrow(/must be lowercase/)
+    })
+  })
+})
+describe('DeleteCredentialParamsSchema', () => {
+  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
+  it('accepts valid UUID', () => {
+    const result = DeleteCredentialParamsSchema.parse({ credentialId: validUuid })
+    expect(result.credentialId).toBe(validUuid)
+  })
+  it('rejects invalid UUID format', () => {
+    expect(() => DeleteCredentialParamsSchema.parse({ credentialId: 'not-a-uuid' })).toThrow()
+  })
+  it('rejects empty string', () => {
+    expect(() => DeleteCredentialParamsSchema.parse({ credentialId: '' })).toThrow()
+  })
+})
+describe('ListCredentialsResponseSchema - Provider Field', () => {
+  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
+  it('validates response with provider set', () => {
+    const response = {
+      credentials: [
+        {
+          id: validUuid,
+          name: 'dropbox-cred',
+          type: 'oauth',
+          provider: 'dropbox',
+          createdAt: '2026-02-02T00:00:00.000Z'
+        }
+      ]
+    }
+    const result = ListCredentialsResponseSchema.parse(response)
+    expect(result.credentials[0].provider).toBe('dropbox')
+  })
+  it('validates response with null provider (non-OAuth credentials)', () => {
+    const response = {
+      credentials: [
+        {
+          id: validUuid,
+          name: 'api-key',
+          type: 'api-key',
+          provider: null,
+          createdAt: '2026-02-02T00:00:00.000Z'
+        }
+      ]
+    }
+    const result = ListCredentialsResponseSchema.parse(response)
+    expect(result.credentials[0].provider).toBeNull()
+  })
+  it('validates response with mixed provider values', () => {
+    const response = {
+      credentials: [
+        {
+          id: validUuid,
+          name: 'dropbox-cred',
+          type: 'oauth',
+          provider: 'dropbox',
+          createdAt: '2026-02-02T00:00:00.000Z'
+        },
+        {
+          id: 'b0eebc99-9c0b-4ef8-bb6d-6bb9bd380a22',
+          name: 'api-key',
+          type: 'api-key',
+          provider: null,
+          createdAt: '2026-02-02T00:00:00.000Z'
+        }
+      ]
+    }
+    const result = ListCredentialsResponseSchema.parse(response)
+    expect(result.credentials[0].provider).toBe('dropbox')
+    expect(result.credentials[1].provider).toBeNull()
+  })
+})